Tuesday, 9 April 2013

AMI Firmware Source Code, Private Key Leaked

Source code and a private signing key for firmware made by the popular PC hardware maker American Megatrends Inc. (AMI) have been found on an open FTP server hosted in Taiwan.
Researcher Brandan Wilson found the company’s data hosted on an unnamed vendor’s FTP server. Among the vendor’s internal emails, system images, high-resolution PCB images and private Excel spreadsheets was the source code for different versions of AMI firmware, code that was current as of February 2012, along with the private signing key for the Ivy Bridge firmware architecture.
AMI builds the AMIBIOS BIOS firmware based on the UEFI specification for PC and server motherboards built by AMI and other manufacturers. The company started out as a motherboard maker, and also built storage controllers and remote management cards found in many Dell and HP computers.

“By leaking this key and the firmware source, it is possible (and simple) for others to create malicious UEFI updates that will be validated and installed for the vendor’s products that use this Ivy Bridge firmware,” wrote Wilson’s research partner Adam Caudill in a blogpost. “If the vendor used this same key for other products, the impact could be even worse.”
Caudill told Threatpost in an email that some components needed to build a UEFI image are missing, though for someone familiar with the technology it is likely a simple process, he said.
“The worst case is the creation of a persistent, Trojanized update that would allow remote access to the system at the lowest possible level,” Caudill said. “Another possibility would be the creation of an update that would render the system unbootable, requiring replacement of the mainboard.”
Firmware updates are tricky and require downtime; updates aren’t usually done unless there are performance or security issues that warrant an upgrade. In short, the impact of this leak could be longstanding.
“This kind of leak is a dream-come-true for advanced corporate espionage or intelligence operations,” Caudill wrote. “The ability to create a nearly undetectable, permanent hole in a system’s security is an ideal scenario for covert information collection.”
The researchers won’t name the vendor, FTP address or release any code, and said they have informed AMI and the vendor involved. Caudill said neither he nor Wilson have received a response.
“This vendor’s lax (non-existent?) security could have much broader repercussions though. For AMI, they now have a major piece of intellectual property freely available for download by competitors,” Caudill wrote. “For users, this code could now be subject to new scrutiny - if a security issue is found in the firmware, it could potentially impact all users whose firmware is based on the leaked code.”
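Why a leaked signing key matters to the update path is easiest to see in code. The following is an added example, not AMI's or the vendor's code: a toy installer-side check over an Ed25519-signed update capsule, with a trust store that can revoke a compromised signer key. Real firmware typically verifies a PKCS#7/Authenticode signature over the capsule against a certificate built into the firmware; the `Update`, `TrustStore` and `KeyID` names, the key-id scheme and the image bytes are all assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Update is a constructed stand-in for a firmware update capsule: the image
// bytes, an identifier for the key that signed them, and the signature.
type Update struct {
	Image    []byte
	SignerID string
	Sig      []byte
}

// TrustStore models the platform-side list of accepted signer keys plus a
// revocation list. The map-based layout is an assumption made for the example.
type TrustStore struct {
	trusted map[string]ed25519.PublicKey
	revoked map[string]bool
}

func NewTrustStore() *TrustStore {
	return &TrustStore{trusted: map[string]ed25519.PublicKey{}, revoked: map[string]bool{}}
}

// KeyID derives a short, stable identifier from a public key (hypothetical scheme:
// first 8 bytes of SHA-256 over the raw key).
func KeyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// GenerateSignerKey creates a vendor signing keypair. In practice the private
// half lives in an HSM and never sits on a file share.
func GenerateSignerKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Trust adds a signer key to the accepted set and returns its id.
func (t *TrustStore) Trust(pub ed25519.PublicKey) string {
	id := KeyID(pub)
	t.trusted[id] = pub
	return id
}

// Revoke marks a key as compromised: updates signed with it are rejected even
// though the key itself is still known to the platform.
func (t *TrustStore) Revoke(id string) { t.revoked[id] = true }

// SignUpdate produces a signed update with the vendor's private key.
func SignUpdate(priv ed25519.PrivateKey, image []byte) Update {
	pub := priv.Public().(ed25519.PublicKey)
	return Update{Image: image, SignerID: KeyID(pub), Sig: ed25519.Sign(priv, image)}
}

// Verify is the check an update installer runs before flashing: the signer must
// be trusted, must not be revoked, and the signature must match the image.
func (t *TrustStore) Verify(u Update) error {
	if t.revoked[u.SignerID] {
		return errors.New("signer key is revoked")
	}
	pub, ok := t.trusted[u.SignerID]
	if !ok {
		return errors.New("unknown signer key")
	}
	if len(u.Sig) != ed25519.SignatureSize || !ed25519.Verify(pub, u.Image, u.Sig) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	pub, priv, err := GenerateSignerKey()
	if err != nil {
		panic(err)
	}
	store := NewTrustStore()
	id := store.Trust(pub)
	upd := SignUpdate(priv, []byte("constructed firmware image v1"))
	fmt.Println("before revocation:", store.Verify(upd)) // <nil>: accepted
	store.Revoke(id)
	fmt.Println("after revocation: ", store.Verify(upd)) // signer key is revoked
}
```

The point the example makes is the one Caudill raises: while the leaked key is in the trusted set, the installer cannot tell a vendor-built image from anyone else's, because the check only proves possession of the key. The only platform-side remedy is to revoke that key id and ship images signed with a fresh one, which is why a signing key reused across products widens the blast radius.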
This is the type of situation that has spurred a lot of discussion about supply chain security, in particular, questions about pre-installed hardware manufactured abroad. The 2013 Congressional Appropriations Act signed into law March 26 mandates that NASA, the U.S. Justice and Commerce departments, and the National Science Foundation must formally evaluate the risks associated with purchasing hardware built or put together by companies owned or operating in China.
These agencies are prohibited from buying IT equipment built or assembled in China unless a top official of the Chinese vendor sits down with the FBI or another federal agency and potential cyberespionage risks are assessed, the act said. The head of the assessing agency must then report his findings to the House and Senate Committees on Appropriations and decide whether the acquisition is in the “national interest” of the U.S.
The thinking is that it would be simple for hardware built and installed along the supply chain to contain malicious code that is difficult to detect without a comprehensive and expensive inspection. A report released last year cast suspicion on Chinese network gear manufacturers Huawei and ZTE because of the companies’ close ties with the Chinese government and allegations of security risks with their equipment present inside U.S. telecommunications companies and corporations.
As for AMI, the leak has not only security implications, but could impact the manufacturer’s viability in the market.
“I have no idea why [the unnamed vendor] made this available to the public; it's something that really shouldn't have happened,” Caudill said. In OEM relationships, source code is provided under a strict license to enable optimization for specific systems. “This is a great example of carelessness that can have significant repercussions. I'm not sure if they didn't realize anonymous access was enabled or if they just didn't realize the implications of making this publicly available.”

Air Force Classifies Some Cybersecurity Tools as Weapons

The United States government for years has been developing and deploying offensive cyber capabilities, most of it done without much in the way of public notice.  That's been changing of late, as government and military officials have become more open in discussing these capabilities and under what circumstances they might be used. Now, the U.S. Air Force has said that it has classified six unnamed tools as weapons, mainly as a way to improve the chances of those tools receiving the funding they need.
The Air Force has emerged as one of the key military branches for offensive and defensive cyber capabilities. The U.S. Cyber Command is the overarching strategic command that's responsible for cybersecurity operations, and it comprises groups from the Army, Navy and Air Force. But it's the Air Force that has become the most vocal and public about its capabilities and intentions when it comes to cybersecurity.
At a conference in Colorado Springs on Monday, an Air Force general said that the branch has now classified six of its cyber capabilities as weapons. The move is an effort to make it easier for the Air Force, and presumably other branches as well, to get funding for these tools.
"It's very, very hard to compete for resources ... You have to be able to make that case," Lt. Gen. John Hyten said during the National Space Symposium, according to Reuters.
The budget process in Washington, always a convoluted and difficult one, has become even more problematic in the last couple of years as the economic environment has deteriorated and financial resources have become scarcer. Classifying offensive cybersecurity tools as weapons opens up a larger pool of money for their development. It is a semantic move that has little, if anything, to do with the tools themselves or how they're used.
The U.S. government has been speaking more openly about its development and use of offensive capabilities, and one aspect of that strategy is the need to secure funding, a constant worry for government officials. Intelligence officials said recently that cybersecurity threats have moved to the top of the heap in terms of dangers to U.S. national security. Constant attacks from state-sponsored groups from a number of countries have targeted U.S. military, government and private-sector networks, looking for valuable data to steal. These attacks have been going on for years, but only recently have they become a major talking point in Washington. The increased rhetoric on this topic from U.S. politicians has angered foreign governments, especially China's, but that hasn't seemed to change the message coming from Washington.
The U.S. and other countries have been using custom tools for offensive operations for many years now, and calling them weapons only changes the conversation in Washington, not the reality of their use.

UK to host global cybersecurity centre

Foreign Secretary William Hague has announced that a global centre for cybersecurity will be opened at the University of Oxford. The Global Centre for Cyber Security and Capacity Building will work to help countries develop comprehensive plans to deal with online threats. The government will provide £1m to fund the centre for the next two years. It will act as "a beacon of expertise" according to Mr Hague.
"The new global centre for cybersecurity... will co-ordinate global work on cyber-threats and cyber-policies which will help protect the UK's security," he said.
Necessary skills
Countries around the world are keen to increase their levels of cybersecurity in the wake of an unprecedented number of threats.
The US says that it has seen a steady rise in the number of cybersecurity attacks.
Last month a US-based cybersecurity firm accused a branch of China's military of stealing hundreds of terabytes of data from at least 141 organisations around the world.
Part of the Oxford centre's remit will be to ensure that countries have the necessary skills, workforce and technology to tackle online threats.
It will create a guide on some of the key issues as well as looking at ways to ensure that countries have access to relevant expertise on solving problems.
Prof Ian Goldin, director of the Oxford Martin School, where the centre will be based, said: "We are convinced that integrated thinking on cybersecurity is required to address these challenges."
Last month the government announced an initiative to share information on cyber-threats between businesses and governments, including a secure web portal to allow information to be shared in real time.

Cyberspace in Our Daily Lives

Our daily life, economic vitality, and national security depend on a stable, safe, and resilient cyberspace. We rely on this vast array of networks to communicate and travel, power our homes, run our economy, and provide government services. Yet cyber intrusions and attacks have increased dramatically over the last decade, exposing sensitive personal and business information, disrupting critical operations, and imposing high costs on the economy.

Securing the Cyber Ecosystem

DHS plays a key role in securing the federal government's civilian cyber networks and helping to secure the broader cyber ecosystem through:
  • partnerships with owners and operators of critical infrastructure such as financial systems, chemical plants, and water and electric utilities
  • the release of actionable cyber alerts
  • investigations and arrests of cyber criminals, and
  • education about how the public can stay safe online.
Combating cyber threats is a shared responsibility. The public, private, and non-profit sectors, and every level of government, including DHS (the U.S. Department of Homeland Security), all have an important role to play.

Responding Quickly to Cyber Vulnerabilities

By maintaining a team of skilled cybersecurity professionals and partnering with the private sector, DHS has been able to respond effectively to cyber incidents, provide technical assistance to owners and operators of critical infrastructure, and disseminate timely and actionable notifications regarding current and potential security threats and vulnerabilities. By leveraging the resources of the ICE Cyber Crimes Center, DHS has been integrally involved in Internet investigations concerning identity and document fraud, financial fraud, and smuggling.
DHS also operates programs that help educate and recruit future generations of cybersecurity workers and arm citizens with the information they need to protect themselves online.

Value of Hacked PC

This is meant to explain, simply and visually, to the sort of computer user who can’t begin to fathom why miscreants would want to hack into his PC. “I don’t bank online, I don’t store sensitive information on my machine! I only use it to check email. What could hackers possibly want with this hunk of junk?” are all common refrains from this type of user.


One of the ideas I tried to get across with this image is that nearly every aspect of a hacked computer and a user’s online life can be and has been commoditized. If it has value and can be resold, you can be sure there is a service or product offered in the cybercriminal underground to monetize it. I haven’t yet found an exception to this rule.

Cash Claws, Fake ATM and Skimmers

Credit and debit card skimmers aren’t just for ATMs anymore. According to European anti-fraud experts, innovative skimming devices are turning up on everything from train ticket kiosks to parking meters and a host of other unattended payment terminals.
Recently, at least five countries reported skimming attacks against railway or transport ticket machines, according to the European ATM Security Team (EAST), a not-for-profit organization that collects data on skimming attacks. Two countries reported skimming attacks at parking machines, and three countries had skimming incidents involving point-of-sale terminals. EAST notes that Bluetooth devices increasingly are being used to transmit stolen card and PIN data wirelessly.
Skimming devices found at train ticket kiosks in Europe. Source: EAST
The organization also is tracking a skimming trend reported by three countries (mainly in Latin America) in which thieves are fabricating fake ATM fascias and placing them over genuine ATMs, like the one pictured below. After entering their PIN, cardholders see an ‘out-of-order’ message. EAST said the fake fascias include working screens so that this type of message can be displayed. The card details are compromised by a skimming device hidden inside the fake fascia, and the PINs are captured via the built-in keypad, which overlays the real keypad underneath.
This fake ATM fascia includes a card skimmer and bogus PIN pad. Source: EAST
"Cash claws" designed to pry additional bills from an ATM's cash dispensing slot. Source: EAST
EAST found that eight countries reported cash-trapping attacks at ATMs, with three of the eight nations reporting “significant increases” in this type of attack. The most common method of cash trapping used by crooks continues to involve what’s known as a “cash claw,” a device designed to be inserted into the cash dispense slot on an ATM and pry additional bills from the machine as it opens to dispense cash.
Another explanation: the thief pushes the claw into the dispenser. When a customer requests cash, the notes become trapped in the claw and are not visible to the customer because they sit behind the cash shutter/slot. The machine reports a dispensing fault and is unable to pull the cash back into the dispenser because the claw is trapping it. The thief returns after the victim leaves, forces the shutter open and pulls out the claw and the cash. According to the ATM specialist, the attack varies in how it is performed; for example, the shutter can be forced open first and the claw inserted afterwards.

Phoenix Exploit Kit Author Arrested

The creator of a popular crimeware package known as the Phoenix Exploit Kit was arrested in his native Russia for distributing malicious software and for illegally possessing multiple firearms, according to underground forum posts from the malware author himself.
The last version of the Phoenix Exploit Kit. Source: Xylibox.com
The Phoenix Exploit Kit is a commercial crimeware tool that until fairly recently was sold by its maker in the underground for a base price of $2,200. It is designed to booby-trap hacked and malicious Web sites so that they foist drive-by downloads on visitors.
Like other exploit packs, Phoenix probes the visitor’s browser for the presence of outdated and insecure versions of browser plugins like Java, and Adobe Flash and Reader. If the visitor is unlucky enough to have fallen behind in applying updates, the exploit kit will silently install malware of the attacker’s choosing on the victim’s PC (Phoenix targets only Microsoft Windows computers).
The author of Phoenix — a hacker who uses the nickname AlexUdakov on several forums — does not appear to have been overly concerned about covering his tracks or hiding his identity. And as we’ll see in a moment, his online persona has been all-too-willing to discuss his current legal situation with former clients and fellow underground denizens.
Exploit.in forum member AlexUdakov selling his Phoenix Exploit Kit.

The Phoenix Exploit Kit author explained that he was arrested by FSB officers for distributing malware and the illegal possession of firearms, including two AKS-74U assault rifles, a Glock, a TT (Russian-made pistol), and a PM (also known as a Makarov). AlexUdakov said he lives in a flat with his wife and child. The main portion of his post reads, in part:
“On _th of May FSB operative performed a controlled purchase, the money was transferred through WebMoney.
1_ th of July FSB operatives arrested me and conducted searches at the residence, registered address, in the cars that I was using. All computers and storage devices were taken except for… a Wi-Fi router.
During the search at the place of residence they have also taken 2 automatic machine guns AKS74U, Glock, TT handgun, PM handgun, ammo. I have no criminal record and gave a confession, was released on my own recognizance. I am indicted on 3 charges – conspiracy to distribute malicious software (article 273 of Russian Penal Code), unlawful production of firearms, ammo and explosives (article 223), unlawful possession of weapons, ammo and explosives (article 222)…
…Then there were a few months of waiting, and the computer forensic examination took place which attempted to declare the exploit pack to be malware. The examination took place in _Labs, the same place that gave the preliminary opinion, which in turn became the basis for opening a criminal case. The examination determined the software (exploit pack) to be malware.”

WordPress.com Boosts Security

WordPress.com, the blog hosting service, announced that it has enabled a two-step authentication feature to keep your account secure.

Two-factor authentication is a security feature that prompts you to enter a temporary secret number sent to your phone whenever you log into your account, so that a stolen password alone is not enough to get in.

How to enable two-step authentication in WordPress?
To enable this feature, go to the new Security tab in your WordPress.com account settings and go through the setup wizard.

"We know your blog is important to you, and today we’re proud to announce Two Step Authentication: an optional new feature to help you keep your WordPress.com account secure," the WordPress.com blog post reads.
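For codes produced by an authenticator app rather than sent by SMS, the "temporary secret number" is normally a time-based one-time password (TOTP, RFC 6238): an HMAC over the current 30-second counter, truncated to six digits. The block below is an added example, not WordPress.com's code, showing both the code generation and the server-side check a site has to get right: a small tolerance for clock skew, constant-time comparison, and refusal to accept the same code twice. The `Verifier` type and the one-step tolerance are assumptions of the example; the secret is the RFC 6238 test key, so the expected codes can be checked against the RFC.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
	"time"
)

const stepSeconds = 30 // TOTP time step assumed by this example (the RFC default)

// TOTP computes the 6-digit code for a base32-encoded shared secret at unix
// time t (HMAC-SHA1 over the big-endian step counter, RFC 4226 truncation).
func TOTP(secretB32 string, t int64) (string, error) {
	norm := strings.ToUpper(strings.TrimRight(secretB32, "="))
	key, err := base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(norm)
	if err != nil {
		return "", err
	}
	if len(key) == 0 {
		return "", errors.New("empty secret")
	}
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(t/stepSeconds))
	mac := hmac.New(sha1.New, key)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // dynamic truncation offset
	bin := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000), nil
}

// Verifier holds the server-side state for one account: the shared secret and
// the last step counter that was accepted, so a code cannot be replayed.
type Verifier struct {
	secretB32   string
	lastCounter int64
}

func NewVerifier(secretB32 string) *Verifier {
	return &Verifier{secretB32: secretB32, lastCounter: -1}
}

// Check accepts the code for the current step or one step either side, never
// re-accepts a counter at or below the last accepted one, and compares in
// constant time so timing does not leak how many digits matched.
func (v *Verifier) Check(code string, now int64) bool {
	for _, skew := range []int64{0, -1, 1} {
		counter := now/stepSeconds + skew
		if counter <= v.lastCounter {
			continue // already used (or older than something already used)
		}
		want, err := TOTP(v.secretB32, counter*stepSeconds)
		if err != nil {
			return false
		}
		if hmac.Equal([]byte(want), []byte(code)) {
			v.lastCounter = counter
			return true
		}
	}
	return false
}

func main() {
	// Constructed secret: base32 of the RFC 6238 test key "12345678901234567890".
	secret := "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
	code, err := TOTP(secret, time.Now().Unix())
	if err != nil {
		panic(err)
	}
	fmt.Println("current code:", code)
}
```

The replay check matters because a code that is valid for a full 30-second window is otherwise reusable by anyone who observes it during that window; tracking the last accepted counter closes that gap without needing per-code storage.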